Three “Must Have” SD-WAN 2.0 Security Capabilities

Increased adoption of cloud-based architectures and network virtualization has driven a high degree of automation and operational efficiency within the data center (DC) and more recently into the WAN and public cloud. This allows enterprises to deliver unimagined service agility, unlocking a new generation of business applications.

Cloud-based architectures are “ephemeral” in nature and can be thought of as having a fast-changing and dynamic virtual layer used to deliver these applications across an underlying shared pool of network resources. This very nature changes the security game, rendering the more static approach of traditional security measures, such as firewalls (FWs), insufficient. Generally placed at the network perimeter, these FWs are not as effective against new breeds of malware and other cyber-attacks that infect in more insidious ways within the perimeter of a data center, public cloud, or extended enterprise WAN network.

SD-WAN 2.0

The first generation of SD-WAN deployments has been primarily focused on the delivery of agile WAN connectivity that increased reach and decreased operational complexity. Today, enterprises expect more. They want to use the SD-WAN infrastructure to deliver a range of IT services across their entire network, with end-to-end security a top priority.

With SD-WAN 2.0, IT managers will benefit from a seamless and secure end-to-end network managed by a single pane of glass with a single policy and network governance model. With this infrastructure in place, IT managers can manage applications that span private data centers (DCs), public clouds, and branch locations from a single highly automated management and control system.

Many IT organizations build security rules based on faith and historical use-cases. This approach may have worked when business applications and users were trusted and confined to single locations, but in today’s cloud architecture it’s inefficient and risky. Business applications have become more complex, dynamic and distributed, and users are more mobile and global. Enterprises today have thousands of users in hundreds of global sites who access SaaS-based applications as well as applications hosted in public or private clouds. This dramatically increases an organization’s attack surface and makes network security a massive undertaking.

To address this new reality, an SD-WAN 2.0 platform provides enterprise IT managers with comprehensive real-time visibility into all application traffic flowing across the entire network, including the ability to collect and display per-flow end-to-end traffic patterns with source and destination as well as traffic type and rates. The platform should allow IT managers to use this information to automatically create security rules based on real-time traffic and current business goals.

By using application-based traffic flow data, IT managers can visualize service tiers (e.g., web server, database, video streaming and optimization), workloads (e.g. Virtual Machine (VM) #1, VM #2, Container #1) and type (TCP, UDP) that apply to each application flow, as well as traffic patterns between each tier. This knowledge not only provides insight into what applications and resources are used, but also how to specifically segment the network for each application to ascertain what automated security policies should be applied.

Understanding this application-level traffic information is important to validate compliance requirements. There may be network and security requirements that need to be met to abide by a corporate information security policy. Using an SD-WAN 2.0 platform will ensure tighter security for your entire network, making compliance validation more precise and highly automated.

Comprehensive end-to-end micro-segmentation and support for third-party security ecosystem

Modern attacks seek vulnerabilities to enter the network, then move laterally (east to west) within the perimeter toward high-value targets. With a network that extends beyond the DC into cloud and the WAN, the second “must have” SD-WAN 2.0 capability is “software-defined” security measures that supplement traditional perimeter-based security to ward off these lateral attacks.

Leveraging the aforementioned comprehensive flow visibility, IT managers are better equipped to segment each application in advance, assigning service tiers and supporting workloads that each application uses. With per-application segmentation, IT managers can create policies to isolate application-specific traffic and all associated network resources within its own secure logical domain. This must be supported across all locations and workloads. As network resources change throughout the lifecycle of the application, the security measures will dynamically follow, eliminating the requirement for any custom or manual security configuration. This technique, known as micro-segmentation, is commonly limited to the WAN in SD-WAN 1.0 deployments.

What is really needed and what SD-WAN 2.0 offers is true end-to-end micro-segmentation that spans all remote locations, as well as public DCs, and private clouds. In fact, SD-WAN 2.0 micro-segmentation extends from the LAN in a remote location all the way to the application workloads inside the data center, ensuring seamless connectivity with complete protection. With this capability, SD-WAN 2.0 will prevent lateral attacks originating in remote locations from ever reaching critical assets inside the DC, something that traditional SD-WAN deployments fail to do.

The solution must have the ability to create and automate a comprehensive overarching approach that includes the traditional network or perimeter FWs, while seamlessly integrating with 3rd party Next-Generation FWs (NGFWs) for enhanced east to west security. SD-WAN 2.0’s infrastructure should provide complete freedom to host these NGFWs on a uCPE in a remote location, or connect to them anywhere else including from a Software as a Service (SaaS) based security service. The IT manager’s choice to build in specific security capabilities should not be limited.

Dynamic threat response

Leveraging SD-WAN 2.0’s real-time, per-application flow analytics across the entire network, IT managers can dynamically understand traffic within the perimeter of the network across the DCs, branches, or public clouds. The third “must have” security capability that SD-WAN 2.0 platforms deliver is the ability to define and implement automated policies that provide a dynamic threat response by responding to suspicious traffic flows in real time without user intervention. Some examples include:

Real-time alerts that inform the IT manager of suspicious activity for each application, right down to the service-tier level of granularity. For example, an alert when a certain TCP port on a virtual DB server starts receiving an unexpected amount of traffic from a new source.

Suspicious traffic can be automatically redirected or copied to an Intrusion Prevention System (IPS) or NGFW for a more in-depth analysis.

Suspicious traffic sources can be quarantined and all of their traffic blocked automatically by the system upon detection.
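
The flow-derived rules described earlier and the three responses listed above can be sketched together. This is an added example, not code from Nuage Networks or any SD-WAN product: the flow records are constructed, and the segment names, the 3x rate threshold and the escalation order (alert, mirror to IPS, quarantine, block) are assumptions.

```python
# Constructed flow records:
# (src_ip, src_segment, dst_tier, proto, dst_port, bytes_per_sec)
BASELINE_FLOWS = [
    ("10.1.0.11", "web", "db", "TCP", 5432, 40_000),
    ("10.1.0.12", "web", "db", "TCP", 5432, 55_000),
    ("10.2.0.5", "branch-lan", "web", "TCP", 443, 20_000),
]
LIVE_FLOWS = [
    ("10.1.0.11", "web", "db", "TCP", 5432, 42_000),         # known source, normal rate
    ("10.1.0.99", "web", "db", "TCP", 5432, 30_000),         # new source, normal rate
    ("10.1.0.98", "web", "db", "TCP", 5432, 900_000),        # new source, traffic spike
    ("10.2.0.77", "branch-lan", "db", "TCP", 5432, 10_000),  # branch LAN straight to DB tier
    ("10.2.0.77", "branch-lan", "web", "TCP", 443, 5_000),   # same source, later flow
]

def learn_policy(flows):
    """Turn observed flows into per-segment allow rules with known sources and peak rate."""
    policy = {}
    for src, segment, tier, proto, port, rate in flows:
        rule = policy.setdefault((segment, tier, proto, port), {"sources": set(), "peak": 0})
        rule["sources"].add(src)
        rule["peak"] = max(rule["peak"], rate)
    return policy

def evaluate(policy, flows, rate_factor=3.0):
    """Return one action per flow; rate_factor is an assumed threshold, not a product default."""
    quarantined, actions = set(), []
    for src, segment, tier, proto, port, rate in flows:
        rule = policy.get((segment, tier, proto, port))
        if src in quarantined:
            action = "block"                 # quarantined source: all of its traffic is dropped
        elif rule is None:
            quarantined.add(src)             # no learned rule: flow crosses a segment boundary
            action = "quarantine"
        else:
            new_source = src not in rule["sources"]
            spike = rate > rate_factor * rule["peak"]
            if new_source and spike:
                action = "mirror_to_ips"     # copy to IPS/NGFW for deeper analysis
            elif new_source or spike:
                action = "alert"
            else:
                action = "allow"
        actions.append(action)
    return actions

if __name__ == "__main__":
    for flow, action in zip(LIVE_FLOWS, evaluate(learn_policy(BASELINE_FLOWS), LIVE_FLOWS)):
        print(f"{flow[0]:<10} {flow[1]:>10} -> {flow[2]}:{flow[4]:<5} {action}")
```

The branch-LAN source that reaches for the DB tier is quarantined on its first flow, and its later flow to the web tier is blocked even though that segment pair is normally allowed.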

With true end-to-end governance, SD-WAN 2.0 empowers the IT manager with a platform to leverage all security tools under a single point of control for all applications across the entire network regardless of where it came from.

Conclusion

Traditional perimeter-based security is no longer sufficient with cloud-based architectures and network virtualization. With the emergence of IoT, AI, 5G, increased use of Wi-Fi, and heightened employee mobility, enterprises are rapidly moving toward more unique devices, endpoints, and traffic – and unfortunately many more security concerns. The scale of the networks and the attack surface will continue to rapidly grow. It is crucial for enterprise IT managers to take advantage of SD-WAN 2.0’s end-to-end SDN-based programmability and policy-driven automation, extending from the WAN into public and private cloud to leverage the three “must have” security capabilities.

Patrick McCabe is a senior marketing manager at Nuage Networks and is responsible for promoting SDN products and solutions for service providers and enterprises. Patrick has held a number of engineering, sales, and marketing roles during his 25 years in the telecommunications industry. He was educated at St Francis Xavier University and the Technical University of Nova Scotia (DalTech), and holds Bachelor’s and Master’s degrees in Engineering.